summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorYi Fan Yu <yifan.yu@windriver.com>2021-01-15 12:41:29 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-16 22:39:36 +0000
commitfef6ec93b50551b3610a3087cdd6a90564cc51a4 (patch)
treedc35b8a0ba2d100b0a59cc26ccdbe31c74df67de /meta
parent615cb60fd4e3f71293f7debb9dd19a183437ad4d (diff)
downloadpoky-fef6ec93b50551b3610a3087cdd6a90564cc51a4.tar.gz
binutils: Fix CVE-2020-35448
Fix related to a buffer overflow in bfd library CVE Details https://nvd.nist.gov/vuln/detail/CVE-2020-35448 Upstream Tracking https://sourceware.org/bugzilla/show_bug.cgi?id=26574 Patch from Upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; h=8642dafaef21aa6747cec01df1977e9c52eb4679 (From OE-Core rev: cb83312131f6c4f69d89d639085e07ea1f53167e) Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.35.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch85
2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index c92cb75543..775af2b8f2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -43,5 +43,6 @@ SRC_URI = "\
43 file://0016-Check-for-clang-before-checking-gcc-version.patch \ 43 file://0016-Check-for-clang-before-checking-gcc-version.patch \
44 file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \ 44 file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
45 file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \ 45 file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
46 file://CVE-2020-35448.patch \
46" 47"
47S = "${WORKDIR}/git" 48S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
new file mode 100644
index 0000000000..3bc64776e5
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-35448.patch
@@ -0,0 +1,85 @@
1From 6caa41daeb7aa17c400b7300fb78d207cf064d70 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Fri, 4 Sep 2020 19:19:18 +0930
4Subject: [PATCH] PR26574, heap buffer overflow in
5 _bfd_elf_slurp_secondary_reloc_section
6
7A horribly fuzzed object with section headers inside the ELF header.
8Disallow that, and crazy reloc sizes.
9
10 PR 26574
11 * elfcode.h (elf_object_p): Sanity check section header offset.
12 * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
13 sh_entsize.
14
15Upstream-Status: Backport
16CVE: CVE-2020-35448
17
18Reference to upstream patch:
19https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
20 h=8642dafaef21aa6747cec01df1977e9c52eb4679
21
22Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
23---
24 bfd/elf.c | 4 +++-
25 bfd/elfcode.h | 8 ++++----
26 2 files changed, 7 insertions(+), 5 deletions(-)
27
28diff --git a/bfd/elf.c b/bfd/elf.c
29index fe375e7346..9f29166399 100644
30--- a/bfd/elf.c
31+++ b/bfd/elf.c
32@@ -12527,7 +12527,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
33 Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
34
35 if (hdr->sh_type == SHT_SECONDARY_RELOC
36- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
37+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
38+ && (hdr->sh_entsize == ebd->s->sizeof_rel
39+ || hdr->sh_entsize == ebd->s->sizeof_rela))
40 {
41 bfd_byte * native_relocs;
42 bfd_byte * native_reloc;
43diff --git a/bfd/elfcode.h b/bfd/elfcode.h
44index f4a7829f27..54ef890637 100644
45--- a/bfd/elfcode.h
46+++ b/bfd/elfcode.h
47@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
48
49 /* If this is a relocatable file and there is no section header
50 table, then we're hosed. */
51- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
52+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
53 goto got_wrong_format_error;
54
55 /* As a simple sanity check, verify that what BFD thinks is the
56@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
57 goto got_wrong_format_error;
58
59 /* Further sanity check. */
60- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
61+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
62 goto got_wrong_format_error;
63
64 ebd = get_elf_backend_data (abfd);
65@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
66 && ebd->elf_osabi != ELFOSABI_NONE)
67 goto got_wrong_format_error;
68
69- if (i_ehdrp->e_shoff != 0)
70+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
71 {
72 file_ptr where = (file_ptr) i_ehdrp->e_shoff;
73
74@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
75 }
76 }
77
78- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
79+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
80 {
81 unsigned int num_sec;
82
83--
842.29.2
85